CN110830490A - Malicious domain name detection method and system based on area confrontation training deep network - Google Patents

Malicious domain name detection method and system based on area confrontation training deep network

Info

Publication number
CN110830490A
Authority
CN
China
Prior art keywords
domain name
malicious
malicious domain
sample
information
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201911111270.9A
Other languages
Chinese (zh)
Other versions
CN110830490B (en)
Inventor
朱斐
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Wuxi Fushi Printing and Painting Education Technology Co.,Ltd.
Original Assignee
Suzhou University
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Suzhou University
Priority to CN201911111270.9A
Publication of CN110830490A
Application granted
Publication of CN110830490B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00 Pattern recognition
    • G06F18/20 Analysing
    • G06F18/24 Classification techniques
    • G06F18/241 Classification techniques relating to the classification model, e.g. parametric or non-parametric approaches
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00 Computing arrangements based on biological models
    • G06N3/02 Neural networks
    • G06N3/04 Architecture, e.g. interconnection topology
    • G06N3/045 Combinations of networks
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00 Computing arrangements based on biological models
    • G06N3/02 Neural networks
    • G06N3/08 Learning methods
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/45 Network directories; Name-to-address mapping
    • H04L61/4505 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols
    • H04L61/4511 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols using domain name system [DNS]


Abstract

The invention discloses a malicious domain name detection method and system based on a deep network with adversarial training. The method comprises the following steps: (1) acquiring malicious domain name samples; (2) preprocessing the malicious domain name samples; (3) training a network model, namely a C-RNN-GAN generative adversarial network model; (4) obtaining a suspicious domain name sample; (5) judging and outputting; (6) judging the suspicious domain name. The method and system use the properties of a generative adversarial network to obtain, through adversarial training, a discriminator that computes how genuine a domain name is. The discriminator makes a robust judgment from the multidimensional features behind the domain name sample and can serve as a classifier for malicious domain name detection. By adopting a generative adversarial network, the invention learns the data characteristics behind malicious domain name samples, fits the real attack-and-defense dynamics of network security, can achieve self-learning and self-improvement, and effectively improves the accuracy of domain name classification.

Description

Malicious domain name detection method and system based on area confrontation training deep network
Technical Field
The invention relates to the technical field of artificial intelligence and control, in particular to a malicious domain name detection method and system based on a deep network with adversarial training.
Background
The Domain Name System (DNS) is a part of the whole Internet that maps between IP addresses and domain names; it resolves a domain name into an IP address during network communication, which makes addresses easier to remember and use. If DNS is configured unreasonably, the network becomes slow and websites cannot be opened, and malicious DNS can even cause malicious behaviour such as advertisement pop-ups, fraud, surveillance and hijacking.
In recent years, DNS security problems have been frequent. DNS is the largest and most complex distributed database in the world. Because of its openness, complexity and size, because security was not considered when it was designed, and because of human sabotage, DNS struggles to cope with increasingly complex modern communication networks and faces very serious security threats. The more common threats are DNS spoofing and distributed denial of service attacks. DNS spoofing means that a server returns an incorrect resolution for a domain name request. It can cause many security issues, such as directing users to phishing websites or fraud websites. Distributed denial of service (DDoS) is another security threat DNS faces: it exploits vulnerabilities in network protocols and operating systems and uses deception and disguise to attack, so that the server exhausts its computing resources and cannot handle the requests of legitimate users; botnets are one example. Therefore, how to solve the DNS security problem with an effective solution is one of the pressing problems for DNS today.
To solve the DNS security problem, various solutions have been proposed, among which domain name detection is the more common: the credibility of the current suspicious domain name is computed comprehensively to detect whether the domain name is legal. Domain name detection falls into two categories, knowledge-based and machine-learning-based. The knowledge-based method detects suspicious domain names by computing the probability of domain names appearing together. Although its detection accuracy is high, it requires a great deal of expert knowledge, and because it is limited by insufficient expert knowledge, its recall cannot meet requirements and malicious domain names are missed. The traditional machine-learning-based method requires a large amount of labelled sample data and uses algorithms such as clustering, support vector machines and decision trees for computation and classification. A new method is therefore needed that combines the advantages of the two and makes up for their shortcomings, so as to achieve a better domain name detection effect.
Disclosure of Invention
The invention aims to provide a malicious domain name detection method and system based on a deep network with confrontation training, which effectively improve the accuracy of malicious domain name detection.
In order to achieve the above object, the present invention provides the following technical solution: a malicious domain name detection method based on a deep network with adversarial training comprises the following steps:
(1) obtaining malicious domain name samples: obtaining threat intelligence from a threat intelligence platform, extracting the malicious domain names in it, querying the relevant dimension information of each malicious domain name, screening, according to malicious behaviour, the malicious domain names whose category is a network attack and whose confidence is high, forming malicious domain name samples, and establishing a malicious domain name sample set;
(2) training a network model: selecting C-RNN-GAN as the generative adversarial network model, which comprises a generator and a discriminator, and training with the malicious domain name sample set as the input of the network model;
(3) obtaining a suspicious domain name sample: querying the relevant dimension information of a suspicious domain name to form a suspicious domain name sample;
(4) judging and outputting: inputting the suspicious domain name sample to the trained discriminator of the network model to obtain the currently computed similarity value;
(5) judging the suspicious domain name: judging whether the similarity value is smaller than the current threshold; if so, treating the suspicious domain name as a malicious domain name sample and adding it to the malicious domain name sample set; if not, treating the suspicious domain name as a legal domain name.
Further, the relevant dimension information of the malicious domain name includes one or more of the following:
website ranking information, which is the Alexa website ranking;
page index count information, comprising the number of pages indexed by Baidu, by Sogou and by Bing;
page integrity information, where 0 means no information and 1 means information is present;
registration place information, where 0 means foreign registration and 1 means domestic registration;
A record information, where 0 means no record and 1 means a record is present;
CNAME record information, where 0 means no record and 1 means a record is present;
CDN usage record information, where 0 means no usage record and 1 means a usage record is present;
update degree information, which is the number of updates of the malicious domain name;
where the A record specifies the IP address record corresponding to the host name or domain name; a CNAME record is an alias record, which maps several names to the same computer; and the CDN usage record is a Content Delivery Network usage record, a CDN being an intelligent virtual network built on top of the existing network so that users can obtain the content they need from nearby, which reduces network congestion and improves the users' access response speed and hit rate.
Further, the loss functions of the generator and the discriminator are as follows:
Figure BDA0002272785040000032
where $S_G$ is the loss function used to train the generator; $S_D$ is the loss function used to train the discriminator; $G$ is the generator, which produces samples; $D$ is the discriminator, which distinguishes real samples from generated samples; $R$ is the representation layer, the layer preceding the discriminator's logistic classification layer; $x_i$ represents a malicious domain name sample; $z_i$ is the random sequence vector input to the generator, representing sample data from reality; and $n$ is the number of current malicious domain name samples.
Further, both the generator and the discriminator use a long short-term memory (LSTM) network with a depth of 2.
Further, the threshold is updated by threshold self-learning, with the formula:
$a_t = \min(d, a_{t-1})$, where $a_t$ is the current threshold, $a_{t-1}$ is the previous threshold, and $d$ is the similarity value.
The present invention also provides a malicious domain name detection system for the above malicious domain name detection method, comprising:
a data acquisition module, configured to acquire malicious domain name samples and suspicious domain name samples;
a data preprocessing module, configured to screen the malicious domain name samples to form a malicious domain name sample set;
a network model, which adopts C-RNN-GAN as the generative adversarial network model, is trained with malicious domain name samples as input, and then takes a suspicious domain name sample as input and outputs a calculated value;
and a judging module, configured to judge whether the suspicious domain name is a malicious or a legal domain name according to the calculated value and the threshold.
Thanks to the above technical scheme, compared with the prior art the invention has the following advantages. The invention discloses a malicious domain name detection method and system based on a deep network with adversarial training, which use the properties of a generative adversarial network to obtain, through adversarial training, a discriminator that computes how genuine a domain name is. The method and system fit the real attack-and-defense dynamics of network security and can achieve self-learning and self-improvement. The discriminator makes a robust judgment from the multidimensional features behind the domain name sample and can serve as a classifier for malicious domain name detection. By adopting a generative adversarial network to learn the data characteristics behind malicious domain name samples, the invention effectively improves the accuracy of domain name classification.
Drawings
FIG. 1 is a flow chart of a malicious domain name detection method of the present invention;
FIG. 2 is a block diagram of a network model in the present invention;
FIG. 3 is a structural diagram of the malicious domain name detection system of the present invention.
Detailed Description
The invention will be further described with reference to the following description of its principles, drawings and embodiments.
To overcome the defects of existing malicious domain name detection methods and effectively improve the accuracy of malicious domain name detection, the invention provides a discriminator that uses the properties of a generative adversarial network to learn, through adversarial training, to compute whether data is genuine or fake. The discriminator makes a robust judgment from the multidimensional features behind a data sample and can serve as a classifier for malicious domain name detection. Because a generative adversarial network is used, the data characteristics behind malicious samples are learned and the accuracy of data classification is effectively improved.
Referring to FIG. 1 to FIG. 3, a malicious domain name detection method based on a deep network with adversarial training includes the following steps:
(1) obtaining malicious domain name samples: obtaining threat intelligence from a threat intelligence platform, extracting the malicious domain names in it, querying the relevant dimension information of each malicious domain name, screening, according to malicious behaviour, the malicious domain names whose category is a network attack and whose confidence is high, forming malicious domain name samples, and establishing a malicious domain name sample set;
(2) training a network model: selecting C-RNN-GAN as the generative adversarial network model, which comprises a generator and a discriminator, and training with the malicious domain name sample set as the input of the network model;
(3) obtaining a suspicious domain name sample: querying the relevant dimension information of a suspicious domain name to form a suspicious domain name sample;
(4) judging and outputting: inputting the suspicious domain name sample to the trained discriminator of the network model to obtain the currently computed similarity value;
(5) judging the suspicious domain name: judging whether the similarity value is smaller than the current threshold; if so, treating the suspicious domain name as a malicious domain name sample and adding it to the malicious domain name sample set; if not, treating the suspicious domain name as a legal domain name.
In a preferred implementation of this embodiment, the relevant dimension information of the malicious domain name includes one or more of the following:
website ranking information, which is the Alexa website ranking;
page index count information, comprising the number of pages indexed by Baidu, by Sogou and by Bing;
page integrity information, where 0 means no information and 1 means information is present;
registration place information, where 0 means foreign registration and 1 means domestic registration;
A record information, where 0 means no record and 1 means a record is present;
CNAME record information, where 0 means no record and 1 means a record is present;
CDN usage record information, where 0 means no usage record and 1 means a usage record is present;
update degree information, which is the number of updates of the malicious domain name;
where the A record specifies the IP address record corresponding to the host name or domain name; a CNAME record is an alias record, which maps several names to the same computer; and the CDN usage record is a Content Delivery Network usage record, a CDN being an intelligent virtual network built on top of the existing network so that users can obtain the content they need from nearby, which reduces network congestion and improves the users' access response speed and hit rate.
In a preferred implementation of this embodiment, the loss functions of the generator and the discriminator are as follows:
Figure BDA0002272785040000061
Figure BDA0002272785040000062
where $S_G$ is the loss function used to train the generator; $S_D$ is the loss function used to train the discriminator; $G$ is the generator, which produces samples; $D$ is the discriminator, which distinguishes real samples from generated samples; $R$ is the representation layer, the layer preceding the discriminator's logistic classification layer; $x_i$ represents a malicious domain name sample; $z_i$ is the random sequence vector input to the generator, representing sample data from reality; and $n$ is the number of current malicious domain name samples.
In a preferred implementation of this embodiment, both the generator and the discriminator use a long short-term memory (LSTM) network with a depth of 2.
In a preferred implementation of this embodiment, the threshold is updated by threshold self-learning, with the formula:
$a_t = \min(d, a_{t-1})$, where $a_t$ is the current threshold, $a_{t-1}$ is the previous threshold, and $d$ is the similarity value.
The present invention also provides a malicious domain name detection system for the above malicious domain name detection method, comprising:
a data acquisition module 10, configured to acquire screened malicious domain name samples and suspicious domain name samples;
a network model 20, which adopts C-RNN-GAN as the generative adversarial network model, is trained with malicious domain name samples as input, and then takes a suspicious domain name sample as input and outputs a calculated value;
and a judging module 30, configured to judge whether the suspicious domain name is a malicious or a legal domain name according to the calculated value and the threshold.
The steps of the malicious domain name detection method are explained in detail below.
Obtaining data and its dimension information
Threat intelligence is obtained from a threat intelligence platform. It contains many kinds of information, of which domain name information is one of the core data. The information relevant to malicious domain names is extracted from the existing threat intelligence to obtain a malicious domain name sample library. Using the associated domain name information collected in the malicious domain name sample library, the Alexa website ranking is queried; the Alexa ranking is currently the authoritative index of website traffic, and if the ranking of a domain name cannot be queried, a fixed numerical value is entered. The Baidu and Sogou index counts reflect how many of a website's pages a search engine has indexed; if this cannot be queried, the value of the dimension is set to 0. Further dimensions are the Bing index count, the integrity of the website, and so on. The detailed dimension information is shown in the following table.
| Dimension | Name | Processing method |
|---|---|---|
| 1 | Alexa ranking | Obtain the Alexa website ranking |
| 2 | Baidu index | Obtain the number of site pages indexed by Baidu |
| 3 | Sogou index | Obtain the number of site pages indexed by Sogou |
| 4 | Bing index | Obtain the number of site pages indexed by Bing |
| 5 | Web page content integrity | Detect whether the page has content: 0 = no information, 1 = information present |
| 6 | Registry detection | 0 = foreign registration, 1 = domestic registration |
| 7 | A record | 0 = no record, 1 = record present |
| 8 | CNAME | 0 = no record, 1 = record present |
| 9 | CDN | 0 = no usage record, 1 = usage record present |
| 10 | Domain name update degree | Detect the number of updates of the current domain name |
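The following Python encoder is an added illustration, not code from the patent. It builds the ten-dimensional vector of the table above, applying the missing-value rules the description gives (a fixed value for an unqueryable Alexa rank, 0 for an unqueryable index count) and the requirement from the detection step that a suspicious sample must carry every dimension. The fixed unranked value, the treatment of an unknown binary dimension as 0, the derivation of dimensions 7 to 9 from DNS answers and the CDN suffix list are all assumptions.

```python
"""Feature encoding for the ten dimensions of the table above.

Added example, not the patent's own code. Assumptions are marked in comments:
the fixed value used for an unqueryable Alexa rank, treating an unknown binary
dimension of a training sample as 0, and the CNAME-suffix rule used to derive
the CDN usage flag from DNS answers.
"""
from typing import Dict, Iterable, List, Optional, Tuple

# Column order of the feature vector, following dimensions 1..10 of the table.
DIMENSIONS = [
    "alexa_rank",         # 1  Alexa ranking
    "baidu_indexed",      # 2  pages indexed by Baidu
    "sogou_indexed",      # 3  pages indexed by Sogou
    "bing_indexed",       # 4  pages indexed by Bing
    "page_integrity",     # 5  1 = page has content, 0 = no information
    "domestic_registry",  # 6  1 = domestic registration, 0 = foreign
    "a_record",           # 7  1 = A record present
    "cname_record",       # 8  1 = CNAME record present
    "cdn_used",           # 9  1 = CDN usage record present
    "update_count",       # 10 number of updates of the domain name
]
INDEX_DIMS = {"baidu_indexed", "sogou_indexed", "bing_indexed"}
BINARY_DIMS = {"page_integrity", "domestic_registry", "a_record",
               "cname_record", "cdn_used"}

# ASSUMPTION: the description enters "a fixed numerical value" when the Alexa
# rank cannot be queried but does not give it; a rank beyond any published
# list is used here.
UNRANKED_ALEXA = 10_000_000

# ASSUMPTION (constructed suffixes): a CNAME pointing under one of these is
# taken as a CDN usage record.
CDN_SUFFIXES: Tuple[str, ...] = (".cdn-a.example", ".cdn-b.example")


def dns_flags(records: Iterable[Tuple[str, str]],
              cdn_suffixes: Tuple[str, ...] = CDN_SUFFIXES) -> Dict[str, int]:
    """Derive dimensions 7-9 from the (rrtype, rdata) answers of a lookup."""
    a_record = cname_record = cdn_used = 0
    for rrtype, rdata in records:
        rrtype = rrtype.upper()
        if rrtype == "A":
            a_record = 1
        elif rrtype == "CNAME":
            cname_record = 1
            target = rdata.rstrip(".").lower()  # drop the trailing root dot
            if target.endswith(cdn_suffixes):
                cdn_used = 1
    return {"a_record": a_record, "cname_record": cname_record, "cdn_used": cdn_used}


def missing_dimensions(raw: Dict[str, Optional[object]]) -> List[str]:
    """Dimensions that could not be queried (absent or None)."""
    return [dim for dim in DIMENSIONS if raw.get(dim) is None]


def encode_sample(raw: Dict[str, Optional[object]],
                  require_complete: bool = False) -> List[float]:
    """Map raw lookups to the ten-dimensional vector.

    Training samples may have gaps, filled as the description specifies: an
    unqueryable Alexa rank becomes the fixed value and an unqueryable index
    count becomes 0. A suspicious sample must carry every dimension, so with
    require_complete=True a gap raises instead of being filled.
    """
    missing = missing_dimensions(raw)
    if require_complete and missing:
        raise ValueError(f"suspicious sample lacks dimensions: {missing}")
    vector: List[float] = []
    for dim in DIMENSIONS:
        value = raw.get(dim)
        if dim == "alexa_rank":
            vector.append(float(UNRANKED_ALEXA if value is None else value))
        elif dim in INDEX_DIMS:
            vector.append(0.0 if value is None else float(value))
        elif dim in BINARY_DIMS:
            vector.append(1.0 if value else 0.0)  # ASSUMPTION: unknown -> 0
        else:  # update_count
            vector.append(0.0 if value is None else float(value))
    return vector


# Constructed training sample: the answer section of a lookup (CNAME chain
# followed by the target's A record, 192.0.2.0/24 being a documentation range),
# with the Alexa rank and the Sogou index count unqueryable.
SAMPLE_RECORDS = [("CNAME", "edge.cdn-a.example."), ("A", "192.0.2.10")]
SAMPLE_RAW: Dict[str, Optional[object]] = {
    "alexa_rank": None, "baidu_indexed": 12, "sogou_indexed": None,
    "bing_indexed": 3, "page_integrity": 1, "domestic_registry": 0,
    "update_count": 4, **dns_flags(SAMPLE_RECORDS),
}

if __name__ == "__main__":
    print(encode_sample(SAMPLE_RAW))
```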
Data cleansing
Malicious activities fall into many categories, including spreading malware, sending spam, fraud and phishing. The definition of malicious behaviour differs between security levels: sending spam is normally defined as a malicious activity, but at a lower security level it may not be treated as malicious in the above sense. It is therefore necessary to screen the malicious behaviours and malicious domain names in the threat intelligence, giving priority to malicious domain name samples with a wide network attack scope and high confidence, and to establish a malicious domain name sample library. The domain name list together with the domain names' dimension information is taken as the sample set X for adversarially training the generative adversarial network.
Establishing the generative adversarial network
The generative adversarial network adopts the structure of a continuous recurrent neural network with adversarial training (C-RNN-GAN), a deep recurrent generative adversarial network. Following the adversarial idea, a generator G and a discriminator D are created. The generator G produces sample data as close as possible to the real sample data x, and the discriminator D tries as hard as possible to tell generated sample data from real sample data. For the malicious domain name information sample set, the generator and the discriminator each use a long short-term memory (LSTM) network with a depth of 2, which processes the discrete real data in the sample set and learns the characteristics of the real sample data.
Training the generative adversarial network
The loss functions are defined according to the chosen model structure. Because the generative adversarial idea is adopted, with deep recurrent networks as the structure of the generator G and the discriminator D, the loss functions are defined as follows:
Figure BDA0002272785040000081
Figure BDA0002272785040000082
where $S_G$ is the loss function used to train the generator; $S_D$ is the loss function used to train the discriminator; $G$ is the generator, which produces samples; $D$ is the discriminator, which distinguishes real samples from generated samples; $R$ is the representation layer, the layer preceding the discriminator's logistic classification layer; $z_i$ is the random sequence vector input to the generator; $x_i$ represents real sample data; and $n$ is the number of current samples.
Hyper-parameters are set and the whole model is trained according to the defined loss functions. The input data comes from the sample set X and has the format $(x_1, x_2, \ldots, x_n)$.
Detecting suspicious domain names
Once the generative adversarial network has been trained, the discriminator is extracted from it. The relevant information of the suspicious domain name is entered, and it must contain information for every dimension of the data. It is input to the discriminator to obtain the currently computed similarity value d.
Threshold adaptive intelligent learning
Since the size of the threshold α for classifying a domain name as malicious cannot be determined manually, a threshold self-learning approach is used:
$a_t = \min(d, a_{t-1})$, where $a_t$ is the current threshold, $a_{t-1}$ is the previous threshold, and $d$ is the similarity value.
A test set is selected to test the trained model. The similarity value that the discriminator D produces for each test sample is compared with the previous threshold, and the smaller of the two becomes the new threshold. Through this continuous self-learning, the most reasonable threshold for malicious domain name detection on the current sample set is obtained.
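The threshold rule and the final judgment step, as an added Python example that is not the patent's own code. The similarity value d is taken as whatever the trained discriminator D returned for a sample; the values below are constructed, the placeholder domain names are not real indicators, and the initial threshold a_0 is an assumption, since the patent does not state it.

```python
"""Threshold self-learning and the final judgment of the detection method.

Added example, not the patent's own code. The similarity value d is taken as
whatever the trained discriminator D returned; the values below are
constructed, and the initial threshold a_0 is an assumption (not stated in the
patent).
"""
from typing import Iterable, List, Tuple


class ThresholdLearner:
    """Applies a_t = min(d, a_{t-1}) over the similarity values of a test set."""

    def __init__(self, initial: float = 1.0) -> None:
        # ASSUMPTION: a_0 = 1.0, an upper bound on the similarity, so the first
        # test sample always sets the threshold.
        self.threshold = initial
        self.history: List[float] = [initial]  # a_0, a_1, ..., a_t

    def update(self, d: float) -> float:
        """One step of the rule: the threshold never rises, it only falls to d."""
        self.threshold = min(d, self.threshold)
        self.history.append(self.threshold)
        return self.threshold

    def fit(self, similarities: Iterable[float]) -> float:
        """Run the rule over every test sample and return the final a_t."""
        for d in similarities:
            self.update(d)
        return self.threshold


def threshold_history(similarities: Iterable[float], initial: float = 1.0) -> List[float]:
    """The sequence a_0 .. a_t the rule produces for a test set."""
    learner = ThresholdLearner(initial)
    learner.fit(similarities)
    return learner.history


class MaliciousDomainDetector:
    """Step (5): a similarity strictly below the current threshold marks the
    suspicious domain as malicious and feeds it back into the sample set;
    anything else is judged legal."""

    def __init__(self, learner: ThresholdLearner) -> None:
        self.learner = learner
        self.malicious_set: List[str] = []  # grows as malicious domains are found

    def judge(self, domain: str, d: float) -> str:
        if d < self.learner.threshold:
            self.malicious_set.append(domain)
            return "malicious"
        return "legal"

    def judge_all(self, scored: Iterable[Tuple[str, float]]) -> List[Tuple[str, float, str]]:
        return [(domain, d, self.judge(domain, d)) for domain, d in scored]


# Constructed discriminator outputs for five test-set samples.
TEST_SET_SIMILARITIES = [0.91, 0.74, 0.83, 0.66, 0.79]

# Constructed suspicious domains (placeholders, not real indicators) with the
# similarity the discriminator is assumed to have returned for each.
SUSPICIOUS = [
    ("suspect-one.example", 0.52),    # below the learned threshold
    ("suspect-two.example", 0.70),    # above it
    ("suspect-three.example", 0.66),  # equal: not "smaller than", so legal
]


def run_demo() -> Tuple[float, List[Tuple[str, float, str]], List[str]]:
    """Learn the threshold on the test set, then judge the suspicious domains."""
    learner = ThresholdLearner()
    threshold = learner.fit(TEST_SET_SIMILARITIES)
    detector = MaliciousDomainDetector(learner)
    verdicts = detector.judge_all(SUSPICIOUS)
    return threshold, verdicts, detector.malicious_set


if __name__ == "__main__":
    for item in run_demo():
        print(item)
```

Because the rule only ever lowers the threshold, a single very low similarity in the test set fixes it permanently, so the test set needs the same screening as the training samples.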
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the invention. Thus, the present invention is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (6)

1. A malicious domain name detection method based on a deep network with adversarial training, characterized by comprising the following steps:
(1) obtaining malicious domain name samples: obtaining threat intelligence from a threat intelligence platform, extracting the malicious domain names in it, querying the relevant dimension information of each malicious domain name, screening, according to malicious behaviour, the malicious domain names whose category is a network attack and whose confidence is high, forming malicious domain name samples, and establishing a malicious domain name sample set;
(2) training a network model: selecting C-RNN-GAN as the generative adversarial network model, which comprises a generator and a discriminator, and training with the malicious domain name sample set as the input of the network model;
(3) obtaining a suspicious domain name sample: querying the relevant dimension information of a suspicious domain name to form a suspicious domain name sample;
(4) judging and outputting: inputting the suspicious domain name sample to the trained discriminator of the network model to obtain the currently computed similarity value;
(5) judging the suspicious domain name: judging whether the similarity value is smaller than the current threshold; if so, treating the suspicious domain name as a malicious domain name sample and adding it to the malicious domain name sample set; if not, treating the suspicious domain name as a legal domain name.
2. The malicious domain name detection method according to claim 1, wherein the relevant dimension information of the malicious domain name includes one or more of the following:
website ranking information, which is the Alexa website ranking;
page index count information, comprising the number of pages indexed by Baidu, by Sogou and by Bing;
page integrity information, where 0 means no information and 1 means information is present;
registration place information, where 0 means foreign registration and 1 means domestic registration;
A record information, where 0 means no record and 1 means a record is present;
CNAME record information, where 0 means no record and 1 means a record is present;
CDN usage record information, where 0 means no usage record and 1 means a usage record is present;
update degree information, which is the number of updates of the malicious domain name;
where the A record specifies the IP address record corresponding to the host name or domain name; a CNAME record is an alias record, which maps several names to the same computer; and the CDN usage record is a Content Delivery Network usage record, a CDN being an intelligent virtual network built on top of the existing network so that users can obtain the content they need from nearby, which reduces network congestion and improves the users' access response speed and hit rate.
3. The malicious domain name detection method according to claim 1, wherein the loss functions of the generator and the discriminator are as follows:
Figure FDA0002272785030000021
wherein $S_G$ is the loss function of the generator, used for training the generator; $S_D$ is the loss function of the discriminator, used for training the discriminator; $G$ is the generator, which outputs generated samples; $D$ is the discriminator, used for distinguishing real samples from generated samples; $R$ is the representation layer, the layer before the logistic classification layer of the discriminator; $x_i$ represents a malicious domain name sample; $z_i$ is the random sequence vector input to the generator, representing sample data from reality; $n$ represents the number of current malicious domain name samples.
4. The malicious domain name detection method according to claim 1, wherein the generator and the discriminator both employ an LSTM long-short term memory network with a depth of 2.
5. The malicious domain name detection method according to claim 1, wherein the threshold is updated in a threshold self-learning manner, and the formula is as follows:
$a_t = \min(d, a_{t-1})$, wherein $a_t$ denotes the current threshold value, $a_{t-1}$ the threshold value at the previous time, and $d$ the similarity value.
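Steps (4) and (5) of claim 1 together with the claim-5 threshold update, as an added Python example that is not the patent's own code. The similarity values are constructed stand-ins for the discriminator's output, and the ordering (compare against the threshold $a_{t-1}$ in force, then update to $a_t = \min(d, a_{t-1})$) is an assumption.

```python
"""Added example (not the patent's code): claim-1 steps (4)-(5) with the claim-5
threshold self-learning rule a_t = min(d, a_{t-1}).
The similarity value d is passed in as a number; in the patent it comes from the
trained C-RNN-GAN discriminator. Assumption: each sample is compared against the
threshold in force before the update is applied."""
from dataclasses import dataclass, field
from typing import List, Set, Tuple


@dataclass
class ThresholdDetector:
    threshold: float                                   # a_{t-1}: threshold currently in force
    malicious_samples: Set[str] = field(default_factory=set)  # malicious domain name sample set
    history: List[Tuple[str, float, float, bool]] = field(default_factory=list)

    def judge(self, domain: str, similarity: float) -> bool:
        """Step (5): d < a_{t-1} means malicious; then claim 5: a_t = min(d, a_{t-1})."""
        malicious = similarity < self.threshold       # strictly smaller; equality is legal
        if malicious:
            self.malicious_samples.add(domain)        # sample set grows for later training
        # a_t never increases: once lowered to d, any later value >= d is judged legal.
        self.threshold = min(similarity, self.threshold)
        self.history.append((domain, similarity, self.threshold, malicious))
        return malicious


def run_stream(initial_threshold: float, observations: List[Tuple[str, float]]) -> ThresholdDetector:
    """Feed (domain, similarity) pairs through steps (4)-(5) in order and return the detector."""
    det = ThresholdDetector(initial_threshold)
    for domain, d in observations:
        det.judge(domain, d)
    return det


# Constructed (domain, similarity value) pairs standing in for discriminator output.
OBSERVATIONS = [
    ("legit-a.example", 0.70),   # above threshold 0.5: legal, threshold unchanged
    ("susp-b.example", 0.30),    # below 0.5: malicious, threshold drops to 0.3
    ("legit-c.example", 0.40),   # not below 0.3: legal
    ("susp-d.example", 0.10),    # below 0.3: malicious, threshold drops to 0.1
    ("susp-e.example", 0.10),    # equal to 0.1, not smaller: legal
]

if __name__ == "__main__":
    for domain, d, a_t, mal in run_stream(0.5, OBSERVATIONS).history:
        print(f"{domain:18s} d={d:.2f} a_t={a_t:.2f} {'malicious' if mal else 'legal'}")
```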
6. A malicious domain name detection system for the malicious domain name detection method according to any one of claims 1 to 5, comprising:
the data acquisition module is used for acquiring and screening malicious domain name samples and for acquiring suspicious domain name samples;
the network model, which is a generative adversarial network model adopting the C-RNN-GAN, is trained with malicious domain name samples as input, then takes a suspicious domain name sample as input and outputs a calculated value;
and the judging module is used for judging whether the suspicious domain name is a malicious domain name or a legal domain name according to the calculated value and the threshold value.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911111270.9A CN110830490B (en) 2019-11-14 2019-11-14 Malicious domain name detection method and system based on area confrontation training deep network

Publications (2)

Publication Number Publication Date
CN110830490A true CN110830490A (en) 2020-02-21
CN110830490B CN110830490B (en) 2022-08-02

Family

ID=69555004

Country Status (1)

Country Link
CN (1) CN110830490B (en)

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106022132A (en) * 2016-05-30 2016-10-12 南京邮电大学 Real-time webpage Trojan detection method based on dynamic content analysis
CN108322349A (en) * 2018-02-11 2018-07-24 浙江工业大学 Deep learning adversarial attack defense method based on generative adversarial networks
CN109584221A (en) * 2018-11-16 2019-04-05 聚时科技(上海)有限公司 Abnormal image detection method based on supervised generative adversarial networks
US20190197358A1 (en) * 2017-12-21 2019-06-27 International Business Machines Corporation Generative Adversarial Network Medical Image Generation for Training of a Classifier
CN110012019A (en) * 2019-04-11 2019-07-12 鸿秦(北京)科技有限公司 Network intrusion detection method and device based on an adversarial model
CN110210226A (en) * 2019-06-06 2019-09-06 深信服科技股份有限公司 Malicious file detection method, system, device and computer storage medium
CN110362997A (en) * 2019-06-04 2019-10-22 广东工业大学 Malicious URL oversampling method based on generative adversarial networks
CN110363243A (en) * 2019-07-12 2019-10-22 腾讯科技(深圳)有限公司 Method and device for evaluating classification models

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
Wang Qi et al.: "Spam classification algorithm based on word embedding and generative adversarial networks", Journal of Nanjing Institute of Technology (Natural Science Edition) *
Yuan Chen et al.: "Malicious domain name training data generation based on generative adversarial networks", Application Research of Computers *

Cited By (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114205095A (en) * 2020-08-27 2022-03-18 极客信安(北京)科技有限公司 Encrypted malicious traffic detection method and device
CN114205095B (en) * 2020-08-27 2023-08-18 极客信安(北京)科技有限公司 Method and device for detecting encrypted malicious traffic
CN112217787A (en) * 2020-08-31 2021-01-12 北京工业大学 Method and system for generating mock domain name training data based on ED-GAN
CN112217787B (en) * 2020-08-31 2022-11-04 北京工业大学 Method and system for generating mock domain name training data based on ED-GAN
CN114006752A (en) * 2021-10-29 2022-02-01 中电福富信息科技有限公司 DGA domain name threat detection system based on GAN compression algorithm and training method thereof
CN114095212A (en) * 2021-10-29 2022-02-25 北京天融信网络安全技术有限公司 Method and device for countertraining DGA domain name detection model
CN114095212B (en) * 2021-10-29 2023-09-01 北京天融信网络安全技术有限公司 Method and device for countertraining DGA domain name detection model
CN114726823A (en) * 2022-05-18 2022-07-08 北京金睛云华科技有限公司 Domain name generation method, device and equipment based on generation countermeasure network
CN114726823B (en) * 2022-05-18 2022-08-30 北京金睛云华科技有限公司 Domain name generation method, device and equipment based on generation countermeasure network
CN115022001A (en) * 2022-05-27 2022-09-06 中国电子信息产业集团有限公司第六研究所 Method and device for training domain name recognition model, electronic equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20231122

Address after: 214000, No. 1-5 Xueqian East Road, Liangxi District, Wuxi City, Jiangsu Province

Patentee after: Wuxi Fushi Printing and Painting Education Technology Co.,Ltd.

Address before: 215168 no.1188, Wuzhong Avenue, Wuzhong District, Suzhou City, Jiangsu Province

Patentee before: SOOCHOW University